Popular NAS Device May Easily Be Compromised

Western Digital has a big problem, and if you use the company’s “My Cloud” network-attached storage (NAS) storage devices, you’ve got one too. The WD My Cloud service is enormously popular because it’s so convenient, allowing both business owners and individuals to store their files, perform periodic backups, and of course, access their data from anywhere in the world.

Recently, security researchers have discovered an authentication bypass vulnerability that could allow an attacker to gain admin-level control over the device. This means they’d be able to monitor all of the files sent to, opened, or deleted on it, make copies of, or even delete the files found there.

The vulnerability has been given the designation CVE-2018-17153 and is about as serious as it gets. Without going into the technical details, essentially, all a hacker would have to do to take complete control over the device is for the hacker to “tell” the device that he’s an Admin via an uploaded cookie file. The device will accept it with no password required.

When the researchers notified Western Digital of the security flaw, they also released a proof of concept detailing the attack, and disturbingly, it can be executed using just six lines of code.

There is one silver lining in that to make use of the exploit, the hacker would need either local access or an internet connection to a specific WD My Cloud device. But this is a relatively low bar that most any experienced hacker could clear without a trace.

Western Digital has responded quickly, and according to a recent blog post on the company’s website, promises to have a patch that will resolve the issue “within a few weeks.” They also stressed to their customers the importance of ensuring that the firmware on all their products is always up to date and recommended enabling auto updates.

It’s good advice that will simplify your life and ensure you never miss an update, although not always practical for SMBs.